Two-Factor Authentication Hardens WordPress

WordPress is the most popular Content Management System (CMS) in use today. In fact, a recent study found that 60% of all websites running a CMS use WordPress. With this popularity comes a higher risk of hackers trying to compromise WordPress websites (Wordfence has stopped 3.3 billion attacks in the last 30 days!). With the rise of online brute-force attacks, hardening your WordPress website becomes even more important. Read on to learn how two-factor authentication hardens WordPress.

What is two-factor authentication?

For those not familiar with the term, two-factor authentication makes a login more secure by combining something you know with something you have. Banks use two-factor authentication when they pair a bank card (something you have) with a PIN (something you know).

For WordPress two-factor authentication, the something you know is your username and password. The something you have is typically your smartphone. With two-factor authentication installed, your WordPress website will send an SMS text message to your smartphone that contains a six-digit code. You enter this code on your login screen and you gain access to the back-end dashboard.

Stop hackers in their tracks

This process stops brute-force attacks because it is very unlikely that hackers will have your username, your password, and your smartphone.

There are a variety of different WordPress plugins available to add two-factor authentication to your website. Some plugins are free while others require a paid subscription. Some WordPress security companies include two-factor authentication as part of their complete security package.

The available plugins use different methods to enforce two-factor authentication. Some use the Google Authenticator app (there are versions available for Android and iOS) while others send a special code via SMS to your smartphone. Some plugins let you choose which method you use. We recommend the SMS text route as some of the Google Authenticator plugins have not been updated recently (to work with WordPress versions 4.9 and 5.0).
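To show what happens on the server when a six-digit code from an authenticator app is checked, here is an added example (not code from Wordfence or any plugin mentioned here) of time-based one-time password verification as standardized in RFC 6238, the scheme the Google Authenticator app implements. The `SecondFactor` class, the lockout threshold of five failures, and the sample secret are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30          # seconds each code is valid for (RFC 6238 default)
DIGITS = 6         # six-digit codes, as entered on the login screen
MAX_FAILURES = 5   # assumed lockout threshold (hypothetical policy value)


def totp(secret_b32, counter):
    """Return the six-digit code for one time-step counter (HMAC-SHA1)."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class SecondFactor:
    """Hypothetical per-user verifier state; a real site would persist it."""

    def __init__(self, secret_b32):
        self.secret = secret_b32
        self.last_counter = -1   # highest time step already accepted
        self.failures = 0        # consecutive wrong codes

    def verify(self, code, now=None):
        if self.failures >= MAX_FAILURES:
            return False         # locked: guessing a six-digit code is cut off
        current = int(time.time() if now is None else now) // STEP
        for counter in (current - 1, current, current + 1):  # allow clock drift
            if counter <= self.last_counter:
                continue         # this code was already used: reject replays
            if hmac.compare_digest(totp(self.secret, counter).encode(), code.encode()):
                self.last_counter = counter
                self.failures = 0
                return True
        self.failures += 1
        return False


# Constructed sample secret: base32 of the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()
```

A six-digit code has only one million possible values, so the failure counter and the replay check matter as much as the code itself.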

Use Wordfence

We use the premium version of the Wordfence plugin on the websites we develop. Wordfence premium adds two-factor authentication along with a firewall, IP blacklist, malware scan, and country blocking. We also like the reporting we get from Wordfence. For example, every time an administrator logs in to one of our WordPress websites, we receive an email containing details on the username and their location. If the login looks suspicious, we simply contact the user to verify that they logged in from that location.